The widespread praise you hear for President Obama's cybersecurity initiative is the sound of no difficult decisions being made yet.

I read the policy review document prepared to outline the initiative and I agree with much of the commentary I've been reading: The broad goals seem laudable, the idea of having a coordinating authority in the government with real power is a good one, and the threats are worth addressing. I have two problems with the plan that I think are worth discussing: first, it focuses on certain security issues to the exclusion of others, a point which I think hasn't been communicated clearly to the public. And second, the devil is in the details, and we're nowhere near details yet.

What was revealed on Friday is not a plan to secure our infrastructure as much as a plan to develop a plan to secure our infrastructure. The next stages are where the difficult decisions are made, winners and losers chosen, and the tone of the lobbying will change. As an example, it's obvious that any plan to secure the infrastructure will have to deal with the DNS and probably include some motivation to move to a DNSSEC-based solution. The term 'DNS' appears once in the document and there as part of a broad historical context.

My major impression of the policy document, and I'd have to say my major disappointment, is that it seems designed to address perceived major threats to the national infrastructure, not the mundane threats that plague us every day. The best evidence of this is the "action plans" in the document, defining terse goals for the near- and medium-term. The major themes in these goals are first to organize government to take the mission seriously, then to coordinate between different governments and the private sector on it, and then to focus on incidents and responses to them. In other words, the focus is on the largely theoretical acute problems, not on the chronic ones.

A lot of IT security is based on what's in the news, what people are scared about. I'm always asked about cyber-Pearl Harbor, cyber-9/11, cyber-terrorism, but the real risks are much more pedestrian: cyber-fraud, cyber-crime, even cyber-espionage. So I think we tend to overestimate the spectacular, because that's what gets the news, and underestimate the pedestrian.

Like Schneier, the professionals who will do the real work here will know better, but President Obama made the same sort of sensationalistic references in his remarks Friday: "Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyber attack on our country."

What will the Obama plan do to mitigate the pedestrian threats to which Schneier refers? I see some glimmers of hope in here, but nothing specific, and it sounds as if any improvements that come will come by happy coincidence of improvements in government and major infrastructure operation.

I should say that there is time spent in the document on education, including Near-Term Action Item #6: "Initiate a national public awareness and education campaign to promote cybersecurity." It's true that a successful user education campaign could address all the pedestrian problems: educated users know to apply updates, not to click on the wrong things, how to recognize a fake e-mail, and so on. I just don't have a lot of confidence in the ability of education to make much of a difference with the average user. Security has to be designed into products assuming that users are going to screw up and either to save them from it or to mitigate the effects of their screwup.

There's little in the plan that I see to help protect end users against identity theft; perhaps protecting the large banks might do so, and a real move to DNSSEC would pre-empt what might be the future of phishing attacks. But most phishing happens much lower down than the major infrastructure at which the plan is targeted: individual hosting services that run outdated software, users who run old browsers and operating systems. The broad goals don't seem to encompass anything that would address the problems that lead to spam or malware. Nothing in it, other than the user education campaign, addresses the security of end-user systems, a huge percentage of the attack surface of the Internet.

Perhaps the problems that the plan ignores are best left ignored. It may be that government is far more likely to do ill than good in this regard. I just want to make sure that we're all clear on what's meant by "cybersecurity," a term that few in the industry use. Whatever comes out of this effort is not likely to directly help you and me, in spite of the fact that President Obama referred to these pedestrian problems in his remarks Friday, perhaps giving a false impression.

So this plan is all about protecting the government and big business, the roots of the Internet, not the smaller branches and leaves. Granted, this is a legitimate area for government concern. Much of the politics of it in advance of Friday's announcements had to do with where the authority lay. In the campaign, Obama said that he would appoint a cybersecurity czar who reported directly to him, but this doesn't seem to be the case for the plan, which has the "Cybersecurity Coordinator" on both the National Security Council and the National Economic Council. The latter appointment is meant to protect business and economic interests from purely security concerns. There is also an institutional commitment to protection of privacy and civil liberties.

When the rubber meets the road in these committees and the conflicts become evident, that's when we'll really have news worth writing about. Will Obama and the Coordinator make bold decisions, pissing off business or the security establishment or privacy or civil liberties advocates? Will the decisions be watered down to assuage as many of the people in these groups as possible? Will all the various groups in government and private industry take to the "coordination" or stall to protect more parochial interests? Will the process be open enough that we know what's being decided and why? It's a time of relatively high hopes for progress on security problems, but recent history is not encouraging on any of these. Let's hope things go better this time.